Enterprise risk management (ERM) systems that could enable climate risks to be addressed more comprehensively are slowly gaining traction among international organizations, but ERM remains insufficiently embedded in institutional cultures and structures.
Enterprise risk management (ERM) is a broad term that describes a structured process for identifying, prioritizing and acting upon risks at an institutional (or ‘enterprise’) level. The approach first gained currency in the 1990s, and was initially used in the private sector before being taken up by many governments. However, only in the past decade and a half has the international system started – slowly and unevenly – to adopt ERM. There are a variety of iterations and degrees of formality of ERM, but most share four common elements.
The first is a structured risk assessment to prioritize risks objectively through a calculation of their likelihood and impact. These risks are typically documented in a risk register. This permits the second main element of ERM: the implementation of risk mitigation measures. These measures may seek to reduce the risk itself (such as by improving security protocols for staff in conflict zones) or to mitigate the consequences of hazards that are out of the direct control of the organization (such as relocating stores of humanitarian supplies away from flood-prone areas). The third element is continual monitoring of the risks, as well as of the mitigation measures to keep track of whether the latter are having the desired effect. The final element is reporting and learning to ensure that risk management remains a dynamic process that responds to the needs of the organization and the risks that it faces in its daily work.
The ultimate aim of ERM is to help organizations deliver their core objectives by identifying issues that would otherwise derail their achievement. It integrates risk management into the strategic and decision-making processes across an organization, replacing the outdated practice of managing risks within functional silos. Done well, ERM helps international organizations and similar agencies identify, prioritize and respond to the risks they face in a manner that can improve decision-making and programme outcomes in the face of uncertainty.
The UN has recognized ERM as an essential element of good governance. In 2006 the UN General Assembly passed Resolution 61/245 endorsing the adoption of ERM across the UN system. In 2010 the UN’s Joint Inspection Unit (JIU) conducted a review of ERM in the UN. The review noted that the implementation of ERM had been slow and was often based on ad hoc decisions rather than defined policy. The JIU proposed 10 benchmarks to encourage other UN agencies, funds and programmes to integrate ERM into their organizational processes and culture.
A decade later, in 2020, the JIU revisited the issue to evaluate how effectively the UN had implemented risk management systems. The review did find progress in terms of ERM adoption: 25 of the 28 agencies, funds and programmes surveyed by the JIU had an ERM policy of some sort. However, the review also noted that many organizations were still developing or refining their policies and practices, and that several entities had only recently begun to develop ERM systems.
Examples of ERM systems in international organizations
In general, large, field-based organizations have made the greatest progress in instituting ERM systems across their operations. The 2018 ERM policy of the World Food Programme (WFP) stipulates that risks be assessed at three levels: the entity level, programme level and activity level. WFP has created a number of tools to inform and professionalize its risk approach: a risk catalogue, a dashboard for risk monitoring, risk ‘heat maps’ to indicate areas of elevated and reduced risk, and so on. This process is overseen by a chief risk officer who reports to the assistant executive director for resource management, and who oversees risk and compliance advisers based in regional bureaus and country offices. A corporate risk register is maintained to ensure that high-level risks faced by WFP are regularly monitored by its executive management group.
The office of the UN High Commissioner for Refugees (UNHCR) introduced a formal ERM policy in 2014. At UNHCR headquarters in Geneva, a chief risk officer, reporting directly to the deputy high commissioner, leads an ERM unit and coordinates a network of field-based risk experts. Between 2017 and the end of 2019, the number of such risk experts increased from three to 33 (out of more than 17,000 staff), including two roving risk advisers supporting country teams with technical assistance and training. UNHCR is currently revising its ERM system: 2,600 staff have completed an ERM e-learning course, and the organization is introducing the concept of ‘risk appetite’ in its strategic planning.
Barriers to better risk management
On the whole, international organizations have been slow to adopt professionalized risk management. There are several reasons for this.
One is a lack of ‘risk literacy’, meaning that international organizations often undervalue the importance of risk management per se. This may be because the relationship between risk and performance in the international sector is not as obvious as in other sectors, such as banking and insurance, where poor risk management can have an immediate impact on the bottom line. One person interviewed in the research for this paper noted that different people within a given organization tend to have very different understandings of risk. This seems to result in a somewhat binary combination of approaches: at one extreme, major risks may be entirely ignored; at the other end of the scale, there can be an overly cautious effort to reduce all risks to zero. Neither approach is sustainable over the long term.
A second reason for the slow uptake of ERM is the nature of strategic planning (and its timetabling) in the international system. Most organizations arrange their work based on four-year or five-year strategic plans. However, planning in UN organizations can be a lengthy process. The time needed for consultation – both internally and with member states – before a strategic plan is implemented means that three to four years can often elapse between the initiation of a planning process and the start of the relevant plan’s implementation. By the time each programme is finished, eight or so years may therefore have passed since its conception, meaning that the risk environment may have changed significantly compared to what was originally envisaged.
A third constraint on ERM adoption is the way in which international organizations are governed and funded, with each organization answerable to a governing ‘board’ that can consist of up to 195 member states. This arrangement favours leaders who stick with tried and tested methods of governance. It builds path dependency into the system, and inhibits reform. In addition, UN strategic plans are often more like politically negotiated statements of intent than documents based on a genuine discussion of risk. The need to cater to the political interests of member states can impede or obscure frank discussions about risk, and can occasionally result in a focus on political rhetoric rather than on finding pragmatic ways to deal with real-world problems.
A fourth issue is that organizations may ignore or avoid risk management as it almost always involves costs and difficult trade-offs. Risk mitigation takes time and effort, and may be resisted internally if seen as constraining, rather than enabling, policy action. This tends to result in a hazard-by-hazard approach to risk reduction, where different risks (such as those around fraud, business disruption and threats to staff security) are dealt with separately, rather than as part of an overall risk and resilience system. As a result, despite the fact that many international organizations operate in increasingly complex environments, internalizing risk management into governance processes is still a work in progress for many organizations.
Meanwhile, the fragmented nature of the multilateral system itself can complicate risk management, especially in relation to multifaceted challenges such as climate change that cascade across sectors in an increasingly connected world. The international system is largely split into silos of expertise (health, agriculture, environmental issues, and so on). The incentives of funding and self-preservation often result in organizations jealously guarding their own institutional ‘turf’. This inhibits cooperation in respect of multidimensional risks, such as the health impacts of environmental change and the impacts of climate change on trade.